Spring Security(十三):5.2 HttpSecurity
Thus far our WebSecurityConfig only contains information about how to authenticate our users. How does Spring Security know that we want to require all users to be authenticated? How does Spring Security know we want to support form based authentication? The reason for this is that the WebSecurityConfigurerAdapter
provides a default configuration in the configure(HttpSecurity http)
method that looks like:
protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin() .and() .httpBasic(); }
The default configuration above:
- Ensures that any request to our application requires the user to be authenticated
-
确保对我们的应用程序的任何请求都要求用户进行身份验证
- Allows users to authenticate with form based login
-
允许用户使用基于表单的登录进行身份验证
- Allows users to authenticate with HTTP Basic authentication
-
允许用户使用HTTP基本身份验证进行身份验证
You will notice that this configuration is quite similar the XML Namespace configuration:
<http> <intercept-url pattern="/**" access="authenticated"/> <form-login /> <http-basic /> </http>
The Java Configuration equivalent of closing an XML tag is expressed using the and()
method which allows us to continue configuring the parent. If you read the code it also makes sense. I want to configure authorized requests and configure form login and configure HTTP Basic authentication.
5.3 Java Configuration and Form Login (Java配置和表单登录)
You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs. Since Spring Security’s default configuration does not explicitly set a URL for the login page, Spring Security generates one automatically, based on the features that are enabled and using standard values for the URL which processes the submitted login, the default target URL the user will be sent to after logging in and so on.
protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") 1 .permitAll(); 2 }
formLogin().permitAll()
method allows granting access to all users for all URLs associated with form based log in.The login page below represents our current configuration. We could easily update our configuration if some of the defaults do not meet our needs.
<c:url value="/login" var="loginUrl"/> <form action="${loginUrl}" method="post"> 1 <c:if test="${param.error != null}"> 2 <p> Invalid username and password. </p> </c:if> <c:if test="${param.logout != null}"> 3 <p> You have been logged out. </p> </c:if> <p> <label for="username">Username</label> <input type="text" id="username" name="username"/> 4 </p> <p> <label for="password">Password</label> <input type="password" id="password" name="password"/> 5 </p> <input type="hidden" 6 name="${_csrf.parameterName}" value="${_csrf.token}"/> <button type="submit" class="btn">Log in</button> </form>
1、A POST to the /login
URL will attempt to authenticate the user
2、If the query parameter error
exists, authentication was attempted and failed
logout
exists, the user was successfully logged out